b'                                            UNCLASSIFIED\n\n\n\n\n\n                   UNITED STATES DEPARTMENT OF STATE \n\n               AND THE BROADCASTING BOARD OF GOVERNORS\n\n                               OFFICE OF INSPECTOR GENERAL\n\n\nAUD-FM-13-23                                     Office of Audits                                       March 2013\n\n\n\n\n               Audit of Department of State\n\n                FY 2012 Compliance With\n\n             Improper Payments Requirements\n\n\n\n\n\nIMPORTANT NOTICE: This report is intended solely for the official use of the Department of State or the\nBroadcasting Board of Governors, or any agency or organization receiving a copy directly from the Office of\nInspector General. No secondary distribution may be made, in whole or in part, outside the Department of State or\nthe Broadcasting Board of Governors, by them or by other agencies of organizations, without prior authorization by\nthe Inspector General. Public availability of the document will be determined by the Inspector General under the\nU.S. Code, 5 U.S.C. 552. Improper disclosure of this report may result in criminal, civil, or administrative penalties.\n\n\n\n\n                                            UNCLASSIFIED\n\n\x0c                                                             United Statf\'s Department of State\n                                                             and the Broadcasting Board of Governors\n\n                                                             OjfiCll ofInspector General\n\n\n\n\n                                             PREFACE\n\n        This report is being transmitted pursuant to the Inspector General Act of 1978, as\namended, and Section 209 of the Foreign Service Act of 1980, as amended. It is one ofa series\nof audit, inspection, investigative, and special reports prepared as part of the Office of Inspector\nGeneral\'s (OIG) responsibility to promote effective management, accountability, and positive\nchange in the Department of State (Department) and the Broadcasting Board of Governors.\n\n       This report addresses the Department\'s FY 20 12 compliance with improper payments\nrequirements. The report is based on interviews with Department employees and officials and a\nreview of applicable documents.\n\n       OIG contracted with the independent public accountant, Kearney & Company, P.c.\n(Kearney), to perform this audit. The contract required that Kearney perform its audit in\naccordance with guidance contained in Government Auditing Standards, issued by the\nComptroller General of the United States. Kearney\' s report is included.\n\n       Kearney identified three areas in which improvements could be made: risk assessment\nprocess, recapture audits, and improper payments disclosures.\n\n       OIG evaluated the nature, extent, and timing of Kearney\'s work; monitored progress\nthroughout the audit; reviewed Kearney\'s supporting documentation; evaluated key judgments;\nand performed other procedures as appropriate. OIG concurs with Kearney\'s findings, and the\nrecommendations contained in the report were developed on the basis of the best knowledge\navailable and were discussed in draft form with those individuals responsible for\nimplementation. ~iG\'s analysis of management\'s response to the recommendations has been\nincorporated into the report. OIG trusts that this report will result in more effective, efficient,\nand/or economical operations.\n\n        I express my appreciation to all of the individuals who contributed to the preparation of\nthis report.\n\n\n\n                                       Harold W. Geisel\n                                       Deputy Inspector General\n\n\n\n\n                                         UNCLASSIFIED \n\n\x0c                                                       1701 Duke Street, Suite 500, Alexandria, VA 22314\n                                                       PH: 703.931.5600, FX: 703.931.3655, www.kearneyco.com\n\n\n\n\nAudit of Department of State FY 2012 Compliance With Improper Payments Requirements\n\n\n\nOffice of Inspector General\nU.S. Department of State\nWashington, D.C.\n\n\nKearney & Company, P.C. (referred to as \xe2\x80\x9cwe\xe2\x80\x9d in this letter), has performed an audit of the\nDepartment of State\xe2\x80\x99s (Department) FY 2012 compliance with the Improper Payments\nInformation Act of 2002, as amended by the Improper Payments Elimination and Recovery Act\nof 2010. We evaluated the Department\xe2\x80\x99s performance in complying with the requirements set\nforth by the Office of Management and Budget. This performance audit, performed under\nContract No. SAQMMA09D0002, was designed to meet the objectives identified in the report\nsection titled \xe2\x80\x9cObjective\xe2\x80\x9d and further defined in Appendix A, \xe2\x80\x9cScope and Methodology,\xe2\x80\x9d of the\nreport.\n\nWe conducted this performance audit from December 2012 through February 2013 in\naccordance with Government Auditing Standards, issued by the Comptroller General of the\nUnited States. We communicated the results of our performance audit and the related findings\nand recommendations to the U.S. Department of State Office of Inspector General.\n\nWe appreciate the cooperation provided by personnel in Department offices during the audit.\n\n\n\n\nKearney & Company, P.C.\nAlexandria, VA\nMarch 14, 2013\n\n\n\n\n                                      UNCLASSIFIED\n\n\x0c                                  UNCLASSIFIED\n\n\n\n______________________________________________________________________________\nAcronyms\nAFR               Agency Financial Report\nCBJ               Congressional Budget Justification\nCGFS              Bureau of the Comptroller and Global Financial Services\nCGFS/DCFO/MC      Bureau of the Comptroller and Global Financial Services, Deputy Chief\n                    Financial Officer, Office of Management Controls\nCGFS/F/C          Bureau of the Comptroller and Global Financial Services, Office of\n                    Claims\nCGFS/OMA          Bureau of the Comptroller and Global Financial Services, Office of\n                    Management and Analysis\nFAH               Foreign Affairs Handbook\nIPERA             Improper Payments Elimination and Recovery Act of 2010\nIPIA              Improper Payments Information Act of 2002\nOIG               Office of Inspector General\nOMB               Office of Management and Budget\n\n\n\n\n                                  UNCLASSIFIED\n\n\x0c                                                          UNCLASSIFIED\n\n\n\n                                                        Table of Contents\n\n\xc2\xa0\n\nSection                                                                                                                                  Page\n\nExecutive Summary .........................................................................................................................1 \n\n\nBackground\xe2\x80\xa6. .................................................................................................................................2 \n\n\nObjective\xe2\x80\xa6\xe2\x80\xa6. .................................................................................................................................4 \n\n\nAudit Results ..................................................................................................................................4 \n\n       Finding A. Program Risk Assessments Were Performed, but Methodology Needs\n       Refinement ...........................................................................................................................4 \n\n       Finding B. Controls Successfully Implemented To Prevent, Detect, and Recapture\n       Improper Payments But Need To Be Strengthened ...........................................................11 \n\n       Finding C. Most Improper Payments Disclosures Were Made, but Some Were\n       Omitted or Were Inaccurate ...............................................................................................17 \n\n\nList of Recommendations ..............................................................................................................20 \n\n\nAppendices\n      A. Scope and Methodology................................................................................................21 \n\n      B. Bureau of the Comptroller and Global Financial Services Response ...........................23 \n\n\n\n\n\n                                                          UNCLASSIFIED\n\n\x0c                                           UNCLASSIFIED\n\n\n                                        Executive Summary\n\n        Federal agencies reported an estimated $108 billion in improper payments in FY 2012.\nOver the past decade, the Federal Government has implemented safeguards to reduce improper\npayments. In 2010, the Improper Payments Elimination and Recovery Act1 (IPERA), which\namended the Improper Payments Information Act of 20022 (IPIA), was signed into law. IPERA\nstrengthened IPIA by increasing requirements for identifying and reporting on improper\npayments. In April 2011, the Office of Management and Budget (OMB) issued guidance to\nimplement IPERA.\n\n         IPIA requires agencies\xe2\x80\x99 Offices of Inspector General (OIG) to annually assess\ncompliance with improper payments requirements. In accordance with this requirement,\nKearney & Company, P.C. (Kearney), an external audit firm acting on OIG\xe2\x80\x99s behalf, conducted\nthe first annual audit of the Department of State\xe2\x80\x99s (Department) FY 2011 compliance and\nreported in 20123 that although the Department had taken steps to comply with IPIA, the\nDepartment had not implemented all requirements for identifying and reporting improper\npayments. OIG recommended that the Department develop policies and standard procedures for\ncomplying with IPIA, as amended by IPERA.4\n\n       Kearney conducted this second annual audit to assess the Department\xe2\x80\x99s FY 2012\ncompliance with IPIA. Kearney found that the Department performed program-specific risk\nassessments for programs that experienced significant changes. The Department had also\ndeveloped risk assessment policies and procedures and expanded and refined its risk assessment\nmethodology to include the qualitative risk factors included in OMB\xe2\x80\x99s guidance. Although the\nDepartment made improvements in its risk assessment methodology during FY 2012, the\nmethods it used to identify significant changes and perform qualitative assessments need\nimprovement. In addition, the Department had not performed a baseline risk assessment of all\nprograms, but a Department official indicated that the risk assessments would be performed\nduring FY 2013. Before it performs baseline risk assessments in FY 2013, the Department\nshould improve its definition of a \xe2\x80\x9cprogram\xe2\x80\x9d as well as its process for identifying programs.\n\n       Kearney also found that the Department had implemented a program of internal control\nto prevent, detect, and recapture improper payments and identified $11.1 million in improper\npayments during FY 2012. However, the Department excluded a significant amount of\npayments from its recapture audits, and the audits were focused on payments rather than on\nprograms. Although the Department was analyzing ways to perform recapture audits over\nexcluded payment types, it had not completed that analysis at the time of this audit. The\nDepartment had included most of the required improper payments disclosures in its FY 2012\nAgency Financial Report (AFR); however, some disclosures were omitted or were inaccurate.\n\n\n\n1 Pub. L. No. 111-204.\n\n2 Pub. L. No. 107-300.\n\n3 Audit of Department of State Compliance With the Improper Payments Information Act (AUD/FM-12-31, March \n\n2012). \n\n4 Unless otherwise indicated, the term \xe2\x80\x9cIPIA\xe2\x80\x9d means \xe2\x80\x9cIPIA, as amended by IPERA,\xe2\x80\x9d in this report.\n\n\n                                                     1\n\n                                           UNCLASSIFIED\n\x0c                                             UNCLASSIFIED\n\n\n        Based on the actions that the Department has taken since the 2012 report, OIG is closing\nthe three recommendations in the 2012 report upon issuance of this report. However, OIG is\nmaking three new recommendations for the Department to improve the risk assessment process,\nexpand recapture audits, and disclose all required improper payments information.\n\n       In its March 13, 2013, response (see Appendix B) to the draft report, the Bureau of the\nComptroller and Global Financial Services (CGFS) concurred with all of the report\xe2\x80\x99s\nrecommendations. Based on the response, OIG considers each recommendation resolved,\npending further action. Management\xe2\x80\x99s responses and OIG\xe2\x80\x99s replies to those responses are\nincluded after each recommendation.\n\n                                               Background\n        According to OMB, Federal agencies reported an estimated $108 billion in improper\npayments, funded by taxpayer dollars, that were issued to individuals, organizations, and\ncontractors during FY 2012. Improper payments are payments that should not have been made\nor that were made in an incorrect amount. Improper payments include overpayments and\nunderpayments, duplicate payments, payments made to an ineligible recipient, payments for an\nineligible good or service, payments for goods or services not received (except for such\npayments authorized by law), payments that do not account for credit for applicable discounts,\nand payments for which an agency could not determine whether the payments were proper\nbecause of insufficient documentation or lack of supporting documentation.\n\n        Over the past decade, the Federal Government has implemented safeguards to reduce\nimproper payments. IPIA, as initially enacted in 2002, required Federal agencies to annually\nidentify programs and activities5 at high risk of improper payments, estimate the amount of\nimproper payments in those programs, perform recovery auditing if program payments exceeded\n$500 million, and report to Congress on steps taken to reduce improper payments.\n\n       In July 2010, IPERA, which amended IPIA, was enacted in an effort to further reduce\nimproper payments. IPERA clarified the programs to be reviewed and expanded improper\npayments recapture activities. IPERA also required Inspectors General to determine whether an\nagency was in compliance and established additional requirements for agencies that were\ndeemed noncompliant.\n\n       In 2011, OMB issued Government-wide guidance on the implementation of IPERA as\nRevised Parts I and II to Appendix C of OMB Circular A-123, Management\xe2\x80\x99s Responsibility for\nInternal Controls.6 The guidance, among other things, defines the programs and payments that\nagencies must assess for the risk of improper payments and provides requirements for\ndetermining whether the risk of improper payments is significant, for developing an estimate of\nimproper payments, for performing recapture audit activities, and for reporting improper\npayments activities.\n\n\n5The term \xe2\x80\x9cprogram and activity\xe2\x80\x9d is referred to in this report as \xe2\x80\x9cprogram.\xe2\x80\x9d \n\n6OMB Circular A-123, Appendix C, Revised Parts I and II, will be referred to in this report as OMB Circular A-\n123, Appendix C.\n\n                                                        2\n\n                                             UNCLASSIFIED\n\x0c                                              UNCLASSIFIED\n\n\n\nDepartment of State Payments\n\n        The Department is the primary agency through which the U.S. Government conducts its\ndiplomacy. The Department operates more than 270 embassies, consulates, and other posts\nworldwide. The Department provides policy guidance, program management, administrative\nsupport, and in-depth expertise in areas such as law enforcement, economics, the environment,\nintelligence, arms control, human rights, counternarcotics, counterterrorism, public diplomacy,\nhumanitarian assistance, security, nonproliferation, and consular services.\n\n       Because of the nature and the extent of its programs, the Department makes significant\npayments to third-party vendors, contractors, and grantees. During FY 2012, the Department\nmade payments of approximately $28 billion, of which $14.6 billion was subject to IPIA\nrequirements.7 Of the $14.6 billion, payments of approximately $7.4 billion were to vendors and\ncontractors and payments of $7.2 billion were for Federal Financial Assistance, including grants,\nassessed contributions,8 and voluntary contributions.9 The amount and volume of payments\nmade by the Department, the Department\xe2\x80\x99s emphasis on expediting certain payments (for\nexample, payments for necessary foreign financial assistance), and the decentralized nature of\nthe Department\xe2\x80\x99s operations increase the Department\xe2\x80\x99s risk for improper payments.\n\n        CGFS has oversight responsibilities for the Department\xe2\x80\x99s financial management\nprogram. Financial management program responsibilities include establishing financial policy\nand procedure, financial reporting and analysis, management of financial information systems,\nand management controls. Management controls, also known as \xe2\x80\x9cinternal controls,\xe2\x80\x9d are the\nprocesses designed and implemented by an organization to help it accomplish its goals or\nobjectives. Important internal control activities include those that are aimed at ensuring that only\nvalid, proper payments are made.\n\n       Within CGFS, the Office of Claims (CGFS/F/C) is the central domestic paying agent of\nthe Department. The Office of Oversight and Management Analysis (CGFS/OMA) is\nresponsible for, among other things, ensuring compliance with financial laws, policies, and\nprocedures and for performing internal control and quality control reviews. The Deputy Chief\nFinancial Officer, Office of Management Controls (CGFS/DCFO/MC), is responsible for\noverseeing the Department\xe2\x80\x99s management control program and other financial management\nfunctions, such as administering compliance with OMB Circular A-123, Appendix C.\n\n\n\n\n7 OMB Circular A-123, Appendix C, states that agencies may, but are not obligated to, review payments to\n\nemployees and intragovernmental transactions for improper payments unless directed to do so by OMB. Of the\n\npayments of $28 billion, payments of approximately $7.4 billion were to employees and payments of $6 billion were \n\nintragovernmental and intradepartmental transactions. \n\n8 Assessed contributions represent financial assistance to foreign countries, international societies, commissions, \n\nproceedings, or projects that are agreed to as part of a treaty or other agreement.\n\n9 Voluntary contributions represent discretionary financial assistance provided to foreign countries, international \n\nsocieties, commissions, proceedings, or projects. \n\n                                                         3\n\n                                              UNCLASSIFIED\n\x0c                                        UNCLASSIFIED\n\n\n\nPrior OIG Reports\n\n        In 2012, OIG reported10 that although the Department had taken steps to comply with\nIPIA, the Department\xe2\x80\x99s improper payments risk assessment methodology was insufficient,\nrecapture audit activities were not performed for all types of improper payments or all payments,\nand some improper payments disclosures required to be included in the AFR were omitted or\nwere inaccurate. OIG recommended that the Department develop policies and standardized\nprocedures for performing improper payments risk assessments and recapture audit activities and\nfor reporting information relating to improper payments in its AFR. These recommendations\nremained resolved but open at the time of the fieldwork for this audit.\n\n                                           Objective\n\n       The overall objective of this audit was to determine whether the Department was in\ncompliance with IPIA. To accomplish this objective, Kearney\n\n      \xef\x82\xb7\t Evaluated whether the Department conducted a program-specific risk assessment for all\n         programs.\n\n      \xef\x82\xb7\t Evaluated the Department\xe2\x80\x99s performance in preventing, detecting, and recapturing\n         improper payments.\n\n      \xef\x82\xb7\t Determined whether the Department reported the required improper payments \n\n         information in its 2012 AFR. \n\n\n                                         Audit Results\n\nFinding A. Program Risk Assessments Were Performed, but Methodology\nNeeds Refinement\n\n        During FY 2012, the Department performed program-specific risk assessments for\nprograms that experienced significant changes. Specifically, CGFS/DCFO/MC identified\nprograms with significant legislative changes or significant funding changes, which\nCGFS/DCFO/MC identified as changes over $100 million, from FY 2010 to FY 2011.\nCGFS/DCFO/MC performed a qualitative risk assessment of these programs, in accordance with\nOMB Circular A-123, Appendix C. CGFS/DCFO/MC had also developed risk assessment\npolicies and procedures and expanded and refined its risk assessment methodology. However,\nthe methods used to identify programs with significant changes and to perform the qualitative\nrisk assessments need improvements.\n\n        Although CGFS/DCFO/MC performed a risk assessment of the programs that it defined\nas having significant changes, CGFS/DCFO/MC had not performed a baseline risk assessment of\nall programs as required by IPIA. During FY 2011 and FY 2012, only nine programs were\nassessed. CGFS/DCFO/MC stated that it did not perform a full baseline risk assessment in FY\n10   AUD/FM-12-31, March 2012.\n                                                4\n\n                                        UNCLASSIFIED\n\x0c                                              UNCLASSIFIED\n\n\n2012 because of resource limitations and its focus on developing formal policies and procedures.\nAccording to a CGFS/DCFO/MC official, all significant programs will be evaluated during the\nFY 2013 risk assessment. In addition, during FY 2012, CGFS/DCFO/MC defined \xe2\x80\x9cprogram\xe2\x80\x9d as\na combination of allotments and function codes; however, it had not applied the definition\nconsistently. Without a full baseline risk assessment and a consistent definition of program, the\nDepartment may not have ensured that all programs at risk for significant improper payments\nwere identified and adequately assessed.\n\nPrograms With Significant Changes Were Identified\n\n        IPIA requires agencies to periodically review all programs and identify those that may be\nsusceptible to significant improper payments. OMB Circular A-123, Appendix C, defines\n\xe2\x80\x9csignificant improper payments\xe2\x80\x9d as gross annual improper payments in the program exceeding\n(1) both 2.5 percent of program outlays and $10 million of all program payments made during\nthe fiscal year or (2) $100 million. The Circular requires that agencies review all programs for\nsusceptibility for significant improper payments in FY 2011 and every 3 years thereafter for\nprograms deemed not risk susceptible. However, if a program experiences significant legislative\nor funding changes, the program must be reassessed during the next annual cycle.\n\n        In FY 2012, CGFS/DCFO/MC performed risk assessments for programs that experienced\nsignificant legislative or funding changes from FY 2010 to FY 2011. For risk assessment\npurposes, CGFS/DCFO/MC elected to identify its programs using a combination of financial\naccounting codes\xe2\x80\x93the allotment and function codes. CGFS/DCFO/MC defined a significant\nchange in program funding as an increase of over $100 million.\n\n        To identify programs that had significant changes in legislation, CGFS/DCFO/MC\nreviewed the Department\xe2\x80\x99s FY 2011 Congressional Budget Justification (CBJ). The CBJ noted\nthat the primary increase in funding and activity for the year was due to war efforts in Iraq,\nAfghanistan, and Pakistan, with particular emphasis on Iraq. Based on this information,\nCGFS/DCFO/MC selected Iraq Overseas Contingency Operations for further evaluation.\nCGFS/DCFO/MC determined that the most significant function codes for Iraq Overseas\nContingency Operations were the following: Bodyguard and Armed Escort, Non-Residential\nLocal Guard Program, All Other Guard Service, Armored Vehicles, Perimeter and Internal\nSecurity, and Security Training Programs.\n\n       To identify programs with significant increases in funding, CGFS/DCFO/MC obtained\nthe FY 2011 and FY 2010 expenditures11 subject to IPIA from its domestic financial\nmanagement system. CGFS/DCFO/MC then grouped the expenditures for each year by function\ncode and calculated the change in spending from FY 2010 to FY 2011 for each function code.\nBased on this calculation, CGFS/DCFO/MC identified four function codes as having\nexperienced significant, over $100 million, funding changes:\n\n          \xef\x82\xb7    UN Organization Mission in the Democratic Republic of the Congo \n\n          \xef\x82\xb7    Bodyguard and Armed Escorts \n\n\n\n11   For its analysis, CGFS/DCFO/MC used expenditures rather than funding.\n                                                        5\n\n                                              UNCLASSIFIED\n\x0c                                         UNCLASSIFIED\n\n\n\n       \xef\x82\xb7   Promote the Rule of Law and Administration of Justice \n\n       \xef\x82\xb7   Civilian Police Programs \n\n\n       CGFS/DCFO/MC grouped the payments from two of the four function codes identified\nas having experienced significant funding changes into other programs. Specifically, the\nUN Organization Mission in the Democratic Republic of the Congo payments were for assessed\ncontributions. CGFS/DCFO/MC determined that, because of the unique nature of assessed and\nvoluntary contributions, it would perform risk assessments for these entire payment categories.\nTherefore, Democratic Republic of the Congo payments were incorporated into the Assessed\nContribution program. In addition, as noted, CGFS/DCFO/MC grouped Bodyguard and Armed\nEscorts payments into Iraq Overseas Contingency Operations, since the Bodyguard and Armed\nEscorts function code was identified as significant to that program.\n\n      Based on its analysis, CFGS/DCFO/MC selected the following five programs for\nFY 2012 risk assessments:\n\n       \xef\x82\xb7   Assessed Contributions \n\n       \xef\x82\xb7   Voluntary Contributions \n\n       \xef\x82\xb7   Promote the Rule of Law and Administration of Justice \n\n       \xef\x82\xb7   Civilian Police Programs \n\n       \xef\x82\xb7   Iraq Overseas Contingency Operations \n\n\n        The payments for the function codes grouped within these five programs amounted to\n$5.5 billion, or almost 38 percent, of the $14.6 billion in payments subject to IPIA.\n\nQualitative Assessments Were Performed\n\n         OMB Circular A-123, Appendix C, requires that agencies institute a systematic method\nof performing risk assessments. An agency can perform a quantitative evaluation based on a\nstatistical sample, or it can perform a qualitative evaluation by considering risk factors likely to\ncontribute to significant improper payments. For qualitative evaluations, the Circular lists eight\nrisk factors that should be considered: the age of the program; the complexity of the program;\nthe volume of payments made annually; a determination as to whether payment eligibility\ndecisions were made outside of the agency; recent major changes in the program; the level,\nexperience, and quality of training of certain personnel; significant deficiencies identified in\naudit reports; and results from prior improper payment work.\n\n        During FY 2012, CGFS/DCFO/MC performed and documented a qualitative risk\nassessment of each of the five selected programs. To perform the assessment, CGFS/DCFO/MC\ndeveloped a scorecard for each program that included an evaluation of the eight risk factors\nspecified by OMB. CGFS/DCFO/MC obtained information for its evaluation by reviewing the\nCBJ, Web sites, and external and internal reports. Based on the information obtained,\nCGFS/DCFO/MC assigned a numerical rating of 1 (low risk), 2 (moderate risk), or 3 (high risk)\nfor each risk factor and averaged the ratings to determine an overall risk level for each program.\nThe overall ratings for each program assessed indicated that three programs had low risk and two\nprograms had moderate risk. Based on the qualitative risk assessment, CGFS/DCFO/MC\n                                                  6\n\n                                         UNCLASSIFIED\n\x0c                                       UNCLASSIFIED\n\n\nconcluded that none of the programs assessed were deemed susceptible to significant improper\npayments as defined by OMB Circular A-123, Appendix C.\n\nRisk Assessment Methodology Was Improved, but Methods To Identify the Significant\nChanges Threshold and Perform Qualitative Assessments Need Refinement\n\n         Kearney found that the Department made improvements during FY 2012 to address the\nissues relating to its risk assessment methodology identified during the audit of the Department\xe2\x80\x99s\nFY 2011 compliance with IPIA. CGFS/DCFO/MC documented formal policies and procedures\nfor the risk assessments. It also expanded and refined its risk assessment methodology.\nSpecifically, CGFS/DCFO/MC defined a \xe2\x80\x9cprogram,\xe2\x80\x9d incorporated the required OMB risk factors\ninto its qualitative assessments, and correctly calculated the significant improper payment\nthreshold for each of the five programs for which an assessment was performed. However, the\nmethods used to identify programs with significant changes and perform the qualitative\nassessments need refinements to ensure that all programs at risk for significant improper\npayments are identified and adequately assessed.\n\n       Significant Changes Threshold\n\n       The method used to identify programs with significant funding changes needed\nrefinement. The use of the $100 million threshold may not have identified all programs that had\nincreased risks because of increased funding. Specifically, Kearney identified function codes\nwith increases in expenditures of less than $100 million, CGFS/DCFO\xe2\x80\x99s threshold for\nassessment. However, the increases represented large percentage increases in spending. For\nexample:\n\n   \xef\x82\xb7   The Aviation Support function code had payments of $123.9 million in FY 2010 and\n       $210.7 million in FY 2011, an increase of $86.68 million, or 70 percent.\n   \xef\x82\xb7   The Program Development and Support function code had payments of $72.6 million in\n       FY 2010 and $156.6 million in FY 2011, an increase of $83.9 million, or 116 percent.\n   \xef\x82\xb7   The Public Diplomacy Program Direction function code had payments of $53.3 million\n       in FY 2010 and $123.8 million in FY 2011, an increase of $70.5 million, or 132 percent.\n        While these programs saw expenditure increases below CGFS/DCFO\xe2\x80\x99s threshold, each\nprogram had significant increases in spending over their FY 2010 baseline expenses. Programs\nthat have large spikes in spending are at risk for making improper payments. Although larger\nprograms that incur billions of dollars in spending a year may be able to handle the increased\nworkload that an additional $100 million in payments entails, a smaller program that sees\nspending double in a fiscal year may not have sufficient resources or an adequate control\nstructure in place to handle dramatic increases in program spending.\n\n       Qualitative Assessments\n\n       Kearney also identified areas for improvement in the qualitative assessments.\nSpecifically,\n\n\n                                                7\n\n                                       UNCLASSIFIED\n\x0c                                             UNCLASSIFIED\n\n\n\n     \xef\x82\xb7\t CGFS/DCFO/MC performed the qualitative risk assessments without obtaining input\n        from the bureaus or offices that had oversight of the programs.12 Bureau program\n        personnel are the best source for information about their respective programs and\n        associated risks. Without input from program managers, CGFS/DCFO/MC may not be\n        aware of factors that could increase or decrease a program\xe2\x80\x99s risk. In addition, the use of\n        outdated or inaccurate information obtained from a Web site or outdated reports may lead\n        to an incorrect assessment of program risk. This issue was first reported in the 2012\n        report on the Department\xe2\x80\x99s FY 2011 compliance with IPIA.\n\n     \xef\x82\xb7\t Although CGFS/DCFO/MC developed objective, quantitative definitions of the risk level\n        for six of the eight risk factors evaluated, it did not do so for two risk factors. For\n        example, for the risk factor \xe2\x80\x9ccomplexity of the program,\xe2\x80\x9d the scorecard defined high\n        complexity as being at high risk. In addition, for the risk factor \xe2\x80\x9clevel, experience, and\n        quality of training of personnel,\xe2\x80\x9d the scorecard defined low risk as \xe2\x80\x9cin compliance\xe2\x80\x9d and\n        high risk as \xe2\x80\x9cnot in compliance.\xe2\x80\x9d No additional details were provided on how these\n        factors should be judged.\n\n     \xef\x82\xb7\t For the risk factor \xe2\x80\x9cvolume of payments made,\xe2\x80\x9d CGFS/DCFO/MC analyzed the dollar\n        value of payments instead of the number or frequency of payments.\n\nBaseline Programmatic Risk Assessments Were Not Performed\n\n       Although CGFS/DCFO/MC performed a risk assessment of the programs that it defined\nas having significant changes, as of the end of fieldwork for this audit CGFS/DCFO/MC had not\nperformed an assessment of all programs as required by IPIA. During the audit of the\nDepartment\xe2\x80\x99s FY 2011 compliance with IPIA, Kearney found that CGFS/DCFO/MC did not\nconduct full baseline risk assessments of all programs. In FY 2011, CGFS/DCFO/MC assessed\nonly four programs: Construction, Retirement, African Union-United Nations Hybrid Mission in\nDarfur, and Near East Refugee Programs.\n\n        CGFS/DCFO/MC also did not conduct the baseline risk assessments of all programs in\nFY 2012. At the time of this audit, CGFS/DCFO/MC had assessed a total of nine programs for\nthe risk of significant improper payments\xe2\x80\x93five in FY 2012 and four in FY 2011. Kearney\nidentified 14 function codes that each had payments in FY 2011 of over $100 million that were\nnot assessed in FY 2011 or FY 2012. For example, the Fulbright Program (function code 2300),\nwith payments of $257 million in FY 2011, and Maintenance and Repair of Short Term Leases\nfor Residential Facilities (function code 7340), with payments of $313.5 million in FY 2011, had\nnever been assessed.\n\n       Further, CGFS/DCFO/MC defined \xe2\x80\x9csignificant programs\xe2\x80\x9d as those programs with over\n$100 million in payments. Therefore, function codes with payments of less than $100 million\nwere not assessed. Kearney identified over 600 function codes with total payments of less than\n$100 million in FY 2011. Additional analyses of these function codes may identify\n\n12 Although CGFS/DCFO/MC did not obtain input during its initial qualitative risk assessments, Kearney noted that\nthe risk assessment policy requires that CGFS/DCFO/MC obtain input from bureaus and offices for programs that\nare identified as high risk during the initial assessment.\n                                                        8\n\n                                             UNCLASSIFIED\n\x0c                                             UNCLASSIFIED\n\n\nprogrammatic groups that would meet the Department\xe2\x80\x99s $100 million significant programs\nthreshold.\n\n       A CGFS/DCFO/MC official stated that a full baseline risk assessment was not performed\nin FY 2012 because of resource limitations and the focus on developing formal policies and\nprocedures. CGFS/DCFO/MC\xe2\x80\x99s analysis indicated that programs of over $100 million that had\nnot been subjected to risk assessment totaled only $2.5 billion, or 16.9 percent of total net\nexpenditures. A CGFS/DCFO/MC official stated that all significant programs would be\nevaluated during the FY 2013 risk assessment.\n\n        Without a baseline risk assessment of all programs, CGFS/DCFO/MC may not have\nidentified all programs with the risk of significant improper payments. A strong risk assessment\nprocess is the starting point for any successful improper payments reduction and recapture\nprogram. The information developed during a risk assessment forms the foundation upon which\nmanagement can determine the nature and type of controls in place and identify control\nimprovements to reduce risks and ultimately reduce improper payments.\n\nProgram Definition and Identification Need Improvement\n\n        Before CGFS/DCFO/MC performs its baseline risk assessments in FY 2013, it should\nimprove its definition of a \xe2\x80\x9cprogram\xe2\x80\x9d as well as its process for identifying programs. During the\naudit of the Department\xe2\x80\x99s FY 2011 efforts to comply with IPIA, Kearney identified concerns\nwith how the Department defined and selected programs for its risk assessment process. OMB\nCircular A-123, Appendix C, states that for improper payment risk assessment procedures, a\nprogram includes \xe2\x80\x9cactivities or sets of activities recognized as programs by the public, OMB, or\nCongress, as well as those that entail program management or policy direction.\xe2\x80\x9d In FY 2011,\nCGFS/DCFO/MC initially identified programs by expense category and then grouped some\nexpenses into subcategories. Based on the audit findings, in its 2012 report OIG recommended\nthat CGFS develop a comprehensive definition of programs.\n\n        During FY 2012, CGFS/DCFO/MC developed policies that included a definition of a\nprogram. Specifically, the guidance stated that for risk assessment purposes, \xe2\x80\x9cThe Department\nhas elected to define its programs as a combination of allotments and functions codes, depending\non their materiality.\xe2\x80\x9d According to the Foreign Affairs Handbook (FAH),13 an allotment code is\nused to designate the bureaus, offices, or posts that are responsible for funds. For example\nallotment code 1024 is the Bureau of Consular Affairs. The FAH14 states that function codes\nshow the purpose of the payment and are used to meet the Department\xe2\x80\x99s requirements for\nidentifying and classifying the programs under the Department\xe2\x80\x99s appropriation. For example, the\nDepartment has function codes for activities such as Arms Control and the Africa Refugee\nProgram.\n\n       Although the guidance stated that CGFS/DCFO/MC would use a combination of\nallotment and function codes to identify programs, initially CGFS/DCFO/MC identified\nprograms with significant changes only by assessing function codes. However, based on a\n\n13   4 FAH-1 H-310, \xe2\x80\x9cAllotment Authority and Allotment and Operating Allowance Codes.\xe2\x80\x9d\n14   4 FAH-1 H-510, \xe2\x80\x9cFunction Classification Structure.\xe2\x80\x9d\n                                                       9\n\n                                             UNCLASSIFIED\n\x0c                                               UNCLASSIFIED\n\n\nqualitative consideration of factors such as common internal control environments,\nCGFS/DCFO/MC elected to combine certain function codes within the five programs it selected\nfor assessments: Assessed Contributions, Voluntary Contributions, Promote the Rule of Law\nand Administration of Justice, Civilian Police Programs, and Iraq Overseas Contingency\nOperations. Not all of these programs were allotments or function codes, which was inconsistent\nwith CGFS/DCFO/MC policies.\n\n        In addition, CGFS/DCFO/MC did not always ensure that payments associated with each\nprogram were related to that program. For example, CGFS/DCFO/MC grouped all Department\nexpenditures for six function codes under Iraq Overseas Contingency Operations, even though\nsome of these expenditures were made in other locations, including Afghanistan and Pakistan.\nAlthough the programs identified by CGFS/CCFO/MC for risk assessments in FY 2012 may\nhave been relevant, without a clear, consistently applied definition of a program,\nCGFS/DCFO/MC cannot document that it had grouped payments with similar risk profiles and\nthat the programs chosen had met the intent of IPIA.\n\n        In addition to refining the definition of a program, CGFS/DCFO/MC also needs to\ndevelop a methodology to extract payments related to the identified programs in a cost-effective\nand timely manner. According to Department officials, one of the reasons for defining programs\nby allotment and function code was that the data was readily available within the financial\nmanagement system.15 Although Kearney believes that it is reasonable for CGFS/DCFO/MC to\nconsider the availability of financial data as one factor when determining the definition of a\nprogram, the availability of financial data should not be the only consideration.\nCGFS/DCFO/MC should also have a strategic perspective when identifying programs. For\nexample, CGFS/DCFO/MC could coordinate with the functional bureaus to identify key\nDepartment programs.\n\n        Before performing the baseline risk assessments, it is essential for CGFS/DCFO/MC to\nestablish and consistently implement a methodology to define and identify a standard list of\nprograms for risk assessment purposes. Flexibility exists for CGFS/DCFO/MC to define\nprograms in a manner that is meaningful to the Department, but refinements are needed in the\ncurrent process.\n\n      The 2012 report on the Department\xe2\x80\x99s FY 2011 compliance with IPIA included a\nrecommendation relating to the Department\xe2\x80\x99s improper payments risk assessment as follows:\n\nRecommendation 1 (AUD/FM-12-31). OIG recommends that the Bureau of Resource\nManagement16 develop policies and standard procedures for performing an improper payments\nrisk assessment. The policies and procedures should include, but not be limited to, the\nfollowing:\n\n\n15 Kearney reported a control deficiency related to the process used by the Department to identify and allocate costs\nin its Statement of Net Cost in the Independent Auditor\xe2\x80\x99s Report on the U. S. Department of State 2012 and 2011\nFinancial Statements (AUD-FM-13-08, Nov. 2012).\n16 Since the 2012 report was issued, the Bureau of Resource Management was restructured. CGFS assumed all\nfinancial management services, programs, and systems activities.\n                                                         10\n\n                                               UNCLASSIFIED\n\x0c                                       UNCLASSIFIED\n\n\n\n   \xef\x82\xb7   A comprehensive definition of the programs to be assessed. \n\n   \xef\x82\xb7   A method to ensure that all program costs are identified. \n\n   \xef\x82\xb7   A description of the quantitative and qualitative factors to be considered.\n\n   \xef\x82\xb7   A method to obtain input from the bureaus and offices responsible for the programs. \n\n\n       CGFS/DCFO/MC has developed policies and standard procedures for performing an\nimproper payments risk assessment. Therefore, OIG is closing this recommendation upon the\nissuance of this report. However, the policies and procedures do not address all OMB Circular\nA-123, Appendix C, requirements. Refinements to the improper payments risk assessment\nmethodology are needed to ensure that all programs with the risk of significant improper\npayments are identified and assessed.\n\n       Recommendation 1. OIG recommends that the Bureau of the Comptroller and Global\n       Financial Services\n\n           \xef\x82\xb7\t Conduct full baseline risk assessments for all programs.\n           \xef\x82\xb7\t Refine its definition of a program in accordance with guidance from the Office of\n              Management and Budget and identify programs for risk assessments consistently,\n              using that definition.\n           \xef\x82\xb7 Refine its definition of significant changes in funding to include a consideration\n              of programs with significant percentage changes.\n           \xef\x82\xb7 Refine the risk assessment process to provide additional guidance for rating each\n              risk factor.\n           \xef\x82\xb7 Implement a method to obtain input from the bureaus and offices responsible for\n              the programs.\n\n       CGFS Response: CGFS concurred with the recommendation, stating that it will\n       \xe2\x80\x9cimplement corrective actions as appropriate.\xe2\x80\x9d CGFS also stated that it will \xe2\x80\x9cwork\n       closely with the OIG\xe2\x80\x9d to refine its \xe2\x80\x9cdefinition of programs and conduct full baseline risk\n       assessments in FY 2013.\xe2\x80\x9d\n\n       OIG Reply: OIG considers the recommendation resolved. This recommendation can be\n       closed when OIG reviews and accepts documentation showing that the Department has\n       conducted a baseline risk assessment for all programs, refines its definition of a program\n       and of significant changes, provides additional guidance on risk factors, and obtains\n       information from bureaus and offices that are responsible for the programs.\n\nB. Controls Successfully Implemented To Prevent, Detect, and Recapture\nImproper Payments but Need To Be Strengthened\n       The Department has implemented a program of internal control to prevent, detect, and\nrecapture improper payments. Specifically, the Department had policies and procedures for\nprepayment reviews to prevent improper payments, post-payment reviews to detect improper\npayments, and recapture audits to recover improper payments. The Department\xe2\x80\x99s post-payment\n\n\n                                               11\n\n                                       UNCLASSIFIED\n\x0c                                            UNCLASSIFIED\n\n\nreviews and recapture audits have identified and recovered improper vendor payments totaling\nover $60.5 million since FY 2007.17\n\n        However, the Department excluded a significant amount of payments from its recapture\naudits without performing and documenting cost-benefit analyses to support the exclusions. In\naddition, the recapture audit process was focused on payments without a consideration of\nprogram factors that could increase or decrease the risk of improper payments, and recapture\naudits were limited to identifying duplicate payments. Although CGFS/OMA was analyzing\nways to perform recapture audits over excluded payment types, it had not completed that\nanalysis at the time of this audit. The recapture audit exclusions and focus have limited the\nDepartment\xe2\x80\x99s ability to identify and recover all improper payments and target recapture activities\non the highest risk programs.\n\nPrepayment Reviews Were Performed\n\n        OMB Circular A-123, Appendix C, states that when implementing a payment recapture\naudit program, agencies \xe2\x80\x9cshall have a cost-effective program of internal control to prevent,\ndetect, and recover overpayments.\xe2\x80\x9d Prevention activities are designed to prevent improper\npayments from occurring.\n\n        The Department had controls in place to help prevent improper payments from occurring.\nFor payments to vendors, vendors must submit invoices to either the Department\xe2\x80\x99s financial\nservice centers or to the foreign post that procured the good or service. For an invoice to be paid,\nan approved official must certify that the good or service was received and ensure that the\ninvoice is valid and accurate. Once the invoice is approved, two Department personnel, a\nvoucher examiner and a certifying officer, are required to process the payment. The voucher\nexaminer enters the transaction into the Department\xe2\x80\x99s accounting system and ensures that all\nsupporting documentation has been submitted. The certifying officer reviews the transaction and\nverifies that the supporting documentation is complete and the accounting data is correct. The\nDepartment\xe2\x80\x99s financial accounting systems have automated controls that also verify certain\npayment-related information. For example, the domestic financial management system does not\nprocess payments with duplicate invoice numbers from one vendor.\n\n        The Department uses other systems and processes to disburse payments for other\nactivities (for example, grant payments or payments to pensioners). The Department had\nprepayment controls in place for these payments as well. For example, grantee eligibility and\ncompliance with grant covenants on prior awards were reviewed prior to disbursement of grant\npayments. Pension payments were reviewed prior to disbursement against the \xe2\x80\x9cDo Not Pay\xe2\x80\x9d\nSocial Security listing to ensure payments were not made to deceased individuals.\n\nPost-Payment Reviews Were Performed as Part of Routine Payment Process\n\n      OMB Circular A-123, Appendix C, states that detection activities occur subsequent to\npayment and are intended to detect improper payments that may have occurred. These actions\n\n17Amount represents payment recapture audit recoveries and CGFS/F/C recoveries as disclosed in the Department\xe2\x80\x99s\nFY 2007-2012 AFRs.\n                                                      12\n\n                                            UNCLASSIFIED\n\x0c                                       UNCLASSIFIED\n\n\ntest the accuracy of payment processes and identify improper payments made during those\nprocesses. For example, routine payment verification or quality control would review a universe\nof payments using criteria different than those used during prepayment reviews to detect\npotential improper payments.\n\n       The Department performed post-payment reviews as part of its routine payment process.\nSpecifically, CGFS/F/C selected random samples of payments on a monthly basis and reviewed\nthe sampled items for adequate support, proper approval, and the validity and accuracy of the\namounts disbursed. This process would identify payments made to individuals who should not\nhave received them, payments made in incorrect amounts, and payments that should not have\nbeen made. CGFS/F/C also used data-matching techniques to identify potential duplicate\npayments disbursed in the current fiscal year.\n\n        On a monthly basis, CGFS/F/C prepared a monthly Quality Management report that\nsummarized the improper payments identified. This report tracked improper payments identified\nagainst key metrics, including improper payments as a percentage of total payments issued.\nBased on its analysis of the improper payments, CGFS/F/C identified the root causes and trends\nof improper payments and reported the improper payments by office responsible, vendors paid,\nand bureau.\n\n       During FY 2012, CGFS/F/C identified $11.1 million in overpayments through its post-\npayment reviews. Of the $11.1 million in overpayments identified, CGFS/F/C recovered\n$10.9 million. CGFS/F/C also recovered additional improper payments, totaling $700,000, that\nwere identified during post-payment reviews in previous years.\n\nRecapture Audit Process Had Been Implemented\n\n        IPIA requires agencies to conduct recovery audits (also known as \xe2\x80\x9crecapture audits\xe2\x80\x9d) if\nconducting such audits would be cost effective. According to OMB Circular A-123, Appendix\nC, a recapture audit is a review and analysis of accounting and financial records, supporting\ndocumentation, and other information supporting payments that is specifically designed to\nidentify overpayments.\n\n        The Department had implemented a recapture audit process. CGFS/OMA performed\nrecapture audit activities by auditing domestic payments on a monthly basis. Specifically,\nCGFS/OMA extracted a data file of payments made during the previous month from the\ndomestic financial management system and imported the file into a data analysis tool.\nCGFS/OMA then performed a search for potential duplicate payments by comparing the invoice\nnumber and dollar amount of each payment in the monthly data file against the payments made\nduring the previous 3 years. Payments with the same invoice number and dollar amount were\nextracted into a separate file of potential duplicate payments. CGFS/OMA provided the potential\nduplicate payments to CGFS/F/C for review.\n\n       As reported in the Department\xe2\x80\x99s FY 2012 AFR, CGFS/OMA identified $35,357 in actual\nduplicate payments made during FY 2012. Of this amount, the Department recovered $35,141,\nwith only $216 outstanding at the time of this audit.\n\n                                               13\n\n                                       UNCLASSIFIED\n\x0c                                         UNCLASSIFIED\n\n\n       Post-Payment Review and Recapture Audit Results\n\n        Together, the Department\xe2\x80\x99s post-payment reviews and improper payments recapture\naudits identified improper payments totaling approximately $60.5 million from FY 2007 to FY\n2012. Of that amount, the Department recovered approximately $57.5 million, as shown in\nTable 1.\n\nTable 1. Improper Payments Identified and Recovered From FY 2007 to FY 2012\n                              Amount Identified            Amount Recovered\n       Fiscal Year                (in millions)                During FY\n                                                              (in millions)\n          2012                                  $11.1                       $11.6\n          2011                                   16.6                          15\n          2010                                    8.1                         7.9\n          2009                                    3.9                         3.8\n          2008                                   15.4                        14.3\n          2007                                    5.4                         4.9\n          Total                                 $60.5                       $57.5\nSource: Department AFRs from FY 2007 to FY 2012.\n\nRecapture Audit Methodology Needs Improvement\n\n         Although CGFS/OMA performed recapture audits, it excluded a significant amount of\npayments from the audits without conducting cost-benefit analyses to support these exclusions,\nas was required. In addition, CGFS/OMA focused its recapture audits on payments rather than\non programs, and the audits were limited to one type of improper payments\xe2\x80\x93duplicate payments.\nAt the time of this audit, CGFS/OMA was analyzing ways to perform recapture audits over\nexcluded payment types. The recapture audit exclusions and focus limited the Department\xe2\x80\x99s\nability to identify and recover all improper payments and target recapture activities on the\nhighest risk programs.\n\n       Recapture Audit Exclusions\n\n        OMB Circular A-123, Appendix C, states that agencies may exclude payments from\ncertain programs from payment recapture audit activities if the agency determines that payment\nrecapture audits are not a cost-effective method for identifying and recapturing improper\npayments. If an agency excludes a program that expends more than $1 million, the agency must\nnotify OMB and OIG of this decision and include any analysis used by the agency to reach this\ndecision.\n\n       The Department\xe2\x80\x99s FY 2012 recapture audit process did not include a significant amount\nof payments. Specifically, CGFS/OMA excluded, from payment recapture audits, the payments\nthat were made outside the CGFS/F/C payment process. For example, CGFS/OMA excluded\noverseas payments amounting to approximately $1.9 billion. These payments were processed by\nthe Department\xe2\x80\x99s overseas financial management system. CGFS/OMA also excluded grant\npayments amounting to approximately $1.8 billion that were made through the Payment\n\n                                                   14\n\n                                         UNCLASSIFIED\n\x0c                                            UNCLASSIFIED\n\n\nManagement System,18 which processes the majority of the Department\xe2\x80\x99s financial assistance-\nrelated payments. In addition, CGFS/OMA excluded pension annuity payments amounting to\napproximately $874 million19 that were processed by CGFS\xe2\x80\x99s Retirement Accounts Division.\nCGFS/OMA excluded these payments for a variety of operational reasons. For example, the\noverseas financial management system does not require that the invoice number, which is used\nby CGFS/OMA to identify duplicate payments, be entered for overseas payments, and in some\ncases, multiple invoices may be entered and the payments may be made with one disbursement.\n\n       CGFS/OMA also excluded certain payments that were processed by CGFS/F/C from the\nrecapture audits. The excluded payments included, but were not limited to, bulk payments,\nwhich included purchase card payments; shipping payments; and certain travel payments. These\nbulk payment exclusions exceeded $378 million in FY 2012.\n\n        As a result of the exclusions, the Department\xe2\x80\x99s FY 2012 recapture audit activities did not\ncover approximately $3.6 billion in payments subject to IPIA requirements. Although\nCGFS/OMA excluded a significant amount of payments, it did not perform and document a cost-\nbenefit analysis supporting the basis for these exclusions, as was required.\n\n        Recapture Audit Focus\n\n        IPIA requires agencies to conduct payment recapture audits for each program that\nexpends $1 million or more annually if conducting such audits would be cost effective. OMB\nCircular A-123, Appendix C, requires all programs exceeding the $1 million threshold, including\ngrant, benefit, loan, and contract programs, to be considered during the payment recapture audits.\nAgencies are required to review their different types of programs and prioritize conducting\npayment recapture audits on those categories that have a higher potential for overpayments and\nrecoveries.\n\n        CGFS/OMA\xe2\x80\x99s recapture audits focused on payments rather than on programs.\nCGFS/OMA\xe2\x80\x99s approach enabled it to include a large number of payments in the recapture audits.\nAlthough performing recapture audit activities based on payments is a beneficial internal control,\nusing a payment approach alone does not consider specific program characteristics that may\nincrease or decrease the risk for improper payments. For example, payments made for programs\nthat have a large number of disbursements and limited oversight resources, such as programs in\nwar zones or at some hardship posts, received the same level of review as payments for programs\nthat have a small number of disbursements and adequate resources. In addition, although the\namount of improper payments identified during recapture audits may appear to be insignificant\nto the Department as a whole using the payment approach, the amount of improper payments\nidentified for a specific program may be significant to the program. A more program-focused\napproach would enable CGFS/OMA to identify the programs that have a high rate of improper\npayments, target future recapture audit activities more efficiently on those programs, and identify\nand correct the circumstances that led to improper payments in those programs.\n\n\n18 The Payment Management System is a grant payment system maintained by the U.S. Department of Health and \n\nHuman Services.\n\n19 The amount disbursed to beneficiaries was disclosed in the Department\xe2\x80\x99s FY 2012 AFR, Note 10.\n\n\n                                                     15\n\n                                            UNCLASSIFIED\n\x0c                                        UNCLASSIFIED\n\n\n       The Department\xe2\x80\x99s recapture audits were also limited to a search for duplicate payments.\nThe audits did not search for other types of improper payments. For example, the audits were\nnot designed to identify overpayments or underpayments and were not designed to identify\npayments for goods and services not received, payments to ineligible recipients, fraudulent\npayments, or payments that lacked adequate support.\n\n       Limited Ability To Identify and Recover Improper Payments\n\n        The issues relating to recapture audit exclusions and focus were first reported in the 2012\nreport on the Department\xe2\x80\x99s FY 2011 compliance with IPIA. Since that report was issued,\nCGFS/OMA had not modified its recapture audit process. However, at the time of this audit,\nCGFS/OMA was analyzing ways to perform recapture audits over excluded payment types.\nSpecifically, CGFS/OMA was exploring ways to perform sampling of overseas payments.\nCGFS/OMA was also gaining an understanding of the payment controls over excluded grantee\nand retirement payments to determine whether it would be possible to construct a cost-effective\nrecapture audit program over those payments.\n\n        Without a sufficient cost-effective recapture audit program, the Department may have\nmade but had not identified and recovered all improper payments. A well-designed recapture\naudit process targets areas most susceptible to improper payments and leverages the latest\ntechnologies. Although traditionally used as a technique to identify improper payments already\nmade, recapture auditing results can also be used to identify trends in improper payments and\nimprove controls to prevent improper payments.\n\n      The 2012 report on the Department\xe2\x80\x99s FY 2011 compliance with IPIA included a\nrecommendation relating to the Department\xe2\x80\x99s recapture audit activities as follows:\n\nRecommendation 2 (AUD/FM-12-31). OIG recommends that the Bureau of Resource\nManagement develop policies and standard procedures for its recapture audit activities. These\npolicies and procedures should include, but not be limited to, the following:\n\n   \xef\x82\xb7   Program, as well as payment, audit activities to help target recapture audits on programs\n       or payment types that are deemed higher risk.\n   \xef\x82\xb7   Alternative procedures to audit payments occurring outside the Global Financial\n       Management System.\n   \xef\x82\xb7   Analytics and other proven recapture audit techniques (for example, predictive modeling,\n       additional forensic accounting tools, additional data matches, and financial incentives)\n       that address improper payments types other than duplicate payments.\n   \xef\x82\xb7   Requirements for performing a cost-benefit analysis for programs and payment types\n       excluded from recapture audit activities and communicating the exclusions to the Office\n       of Management and Budget and OIG.\n\n        CGFS/OMA has developed policies and procedures for its recapture audit activities.\nTherefore, OIG is closing this recommendation upon issuance of this report. However, the\npolicies and procedures do not address all OMB Circular A-123, Appendix C, requirements.\nCGFS/OMA should continue its efforts to identify ways to expand its audit coverage over\n\n                                                16\n\n                                        UNCLASSIFIED\n\x0c                                       UNCLASSIFIED\n\n\ncurrently excluded payments and refocus its recapture activities on programs with a higher\npotential for overpayments and recoveries, as required by OMB Circular A-123, Appendix C.\n\n       Recommendation 2. OIG recommends that the Bureau of the Comptroller and Global\n       Financial Services revise existing policies and standard procedures for its recapture audit\n       activities to ensure compliance with all Office of Management and Budget requirements.\n       These revised policies and procedures should include, but not be limited to, the\n       following:\n\n           \xef\x82\xb7  Program, as well as payment, audit activities to help target recapture audits on\n              programs or payment types that are deemed higher risk.\n           \xef\x82\xb7 Alternative procedures to audit payments occurring outside the domestic financial\n              management system.\n           \xef\x82\xb7\t Analytics and other proven recapture audit techniques (for example, predictive\n              modeling, additional forensic accounting tools, additional data matches, and\n              financial incentives) that address improper payments types other than duplicate\n              payments.\n           \xef\x82\xb7\t Requirements for performing a cost-benefit analysis for programs and payment\n              types excluded from recapture audit activities and communicating the exclusions\n              to the Office of Management and Budget and Office of Inspector General.\n\n       CGFS Response: CGFS concurred with the recommendation, stating that it will\n       \xe2\x80\x9cimplement corrective actions as appropriate.\xe2\x80\x9d\n\n       OIG Reply: OIG considers the recommendation resolved. This recommendation can be\n       closed when OIG confirms that the Department has revised its existing policies and\n       procedures related to recapture audit activities.\n\nC. Most Improper Payments Disclosures Were Made, but Some Were\nOmitted or Were Inaccurate\n        The Department\xe2\x80\x99s FY 2012 AFR included improper payments disclosures that provided a\nhigh-level understanding of the Department\xe2\x80\x99s IPIA risk assessment process and recapture audit\nactivities and results. However, the AFR did not include all OMB-required disclosures, and\nother disclosures were inaccurate. By not including complete and accurate information in its\nAFR, the Department is not providing users with complete information about its efforts related to\nimproper payments.\n\nMost Improper Payments Disclosures Were Made\n\n       IPIA states that for an agency to be in compliance with the Act, the agency must publish\nan annual financial statement for the most recent fiscal year and post that report, with the\ninformation on improper payments required by OMB, on the agency\xe2\x80\x99s Web site. OMB Circular\nA-123, Appendix C, requires an agency to disclose specific information relating to improper\npayments in its annual AFR in the format provided in OMB Circular A-136, Revised, Financial\nReporting Requirements.\n                                               17\n\n                                       UNCLASSIFIED\n\x0c                                        UNCLASSIFIED\n\n\n\n\n        The Department published its FY 2012 AFR on its Web site. The AFR included most of\nthe required improper payments disclosures. For example, the AFR included summary\ninformation on improper payments, a general description of the Department\xe2\x80\x99s risk assessment\nprocess, and a description of the Department\xe2\x80\x99s payment recapture audit program. The\ninformation reported in the AFR provided a high-level understanding of the Department\xe2\x80\x99s IPIA\nrisk assessment process and recapture audit activities and results.\n\nSome Required Disclosures Were Omitted or Were Inaccurate\n\n        Although the Department included most of the required disclosures in its AFR, several\ndisclosures were omitted. For example, OMB Circular A-136 requires that an agency provide a\nbrief description of its progress on eliminating and recovering improper payments in the\nManagement\xe2\x80\x99s Discussion and Analysis section of its AFR. OMB Circular A-123, Appendix C,\nrequires that an agency report the basis for its groupings of programs in the AFR and provide a\ndescription and justification of the classes of payments excluded from payment recapture audits.\nThe Department did not make these disclosures in its FY 2012 AFR. These issues were first\nreported in the 2012 report on the Department\xe2\x80\x99s FY 2011 compliance with IPIA.\n\n        In addition, the Department\xe2\x80\x99s payment recapture tables in the AFR did not follow the\nformat provided in OMB Circular A-136, and the Department did not include all required\ninformation in the tables. Specifically, the tables did not include columns to identify the\nprograms for which recapture audits were performed, as was required. Further, the recapture\ntables did not include complete information on the payments identified and recovered through\nsources other than payment recapture audits. The Department included the amounts identified\nand recovered by CGFS/OMA during recapture audit activities and by CGFS/F/C during post-\npayment reviews as well as OIG recoveries. However, the Department did not track and assess\ninformation on payments identified and recovered in other Department offices and bureaus, such\nas contract closeout recoveries, recoveries resulting from grant compliance reviews, and pension\noverpayment recoveries. This issue also was first reported in the 2012 report.\n\n        Kearney also identified some information in the AFR that may be misleading. In its\ndescription of the recapture audit analysis, the Department stated that the domestic payment file\nused during the analysis \xe2\x80\x9cpresently includes the majority of payments subject to IPERA\nrequirements such as most domestic vendor payments and grant payments.\xe2\x80\x9d However,\nCGFS/OMA did not include grant payments made through the Payment Management System in\nits recapture audits. These payments make up the majority of grant payments made by the\nDepartment. Further, the recapture tables include a column for identifying the type of payment\nincluded in the payment recapture audit. In the Department\xe2\x80\x99s payment recapture tables, this\ncolumn indicated that all payments were subject to the review. However, as discussed in Finding\nB, CGFS/OMA excluded, from its payment recapture audits, certain payment types, including\noverseas payments, Payment Management System grant payments, pension annuity payments,\nand bulk payments. These issues also were reported in the 2012 report.\n\n       By not including all required information in its AFR, the Department did not provide\nusers with relevant and reliable information about its efforts to prevent and identify and recover\n\n                                                18\n\n                                        UNCLASSIFIED\n\x0c                                      UNCLASSIFIED\n\n\nimproper payments. AFRs play a key role in fulfilling the Government\xe2\x80\x99s duty to be accountable\nfor the use of public funds, and AFRs can be used to assess an agency\xe2\x80\x99s efficiency and\neffectiveness in performing activities such as identifying and recapturing improper payments.\nThe results of an agency\xe2\x80\x99s actions related to improper payments should be available not only to\nCongress and agency management but also to the general public.\n\n      The 2012 report on the Department\xe2\x80\x99s FY 2011 compliance with IPIA included a\nrecommendation relating to the Department\xe2\x80\x99s improper payments reporting as follows:\n\nRecommendation 3 (AUD/FM-12-31). OIG recommends that the Bureau of Resource\nManagement develop policies and standard procedures that ensure that the improper payments\ninformation included in the Department of State Agency Financial Report is complete and\naccurate.\n\n        CGFS/DCFO/MC has developed formal policies and standard procedures for preparing\nthe disclosures since the 2012 report. Therefore, OIG is closing this recommendation upon\nissuance of this report. However, because the policies and procedures did not ensure that all\nrequired improper payments disclosures were made, CGFS should improve its controls over\nimproper payments reporting.\n\n       Recommendation 3. OIG recommends that the Bureau of the Comptroller and Global\n       Financial Services enhance existing policies and standard procedures to ensure that the\n       improper payments information included in the Department of State Agency Financial\n       Report is complete and accurate.\n\n       CGFS Response: CGFS concurred with the recommendation, stating that it will\n       \xe2\x80\x9cimplement corrective actions as appropriate.\xe2\x80\x9d\n\n       OIG Reply: OIG considers the recommendation resolved. This recommendation can be\n       closed when OIG confirms that the Department has enhanced its policies and procedures\n       for including improper payments information in the Agency Financial Report.\n\n\n\n\n                                              19\n\n                                      UNCLASSIFIED\n\x0c                                      UNCLASSIFIED\n\n\n\n                                List of Recommendations\n\nRecommendation 1. OIG recommends that the Bureau of the Comptroller and Global Financial\nServices\n\n   \xef\x82\xb7\t Conduct full baseline risk assessments for all programs.\n   \xef\x82\xb7\t Refine its definition of a program in accordance with guidance from the Office of\n      Management and Budget and identify programs for risk assessments consistently, using\n      that definition.\n   \xef\x82\xb7 Refine its definition of significant changes in funding to include a consideration of\n      programs with significant percentage changes.\n   \xef\x82\xb7 Refine the risk assessment process to provide additional guidance for rating each risk\n      factor.\n   \xef\x82\xb7 Implement a method to obtain input from the bureaus and offices responsible for the\n      programs.\n\nRecommendation 2. OIG recommends that the Bureau of the Comptroller and Global Financial\nServices revise existing policies and standard procedures for its recapture audit activities to\nensure compliance with all Office of Management and Budget requirements. These revised\npolicies and procedures should include, but not be limited to, the following:\n\n   \xef\x82\xb7  Program, as well as payment, audit activities to help target recapture audits on programs\n      or payment types that are deemed higher risk.\n   \xef\x82\xb7 Alternative procedures to audit payments occurring outside the domestic financial\n      management system.\n   \xef\x82\xb7\t Analytics and other proven recapture audit techniques (for example, predictive modeling,\n      additional forensic accounting tools, additional data matches, and financial incentives)\n      that address improper payments types other than duplicate payments.\n   \xef\x82\xb7\t Requirements for performing a cost-benefit analysis for programs and payment types\n      excluded from recapture audit activities and communicating the exclusions to the Office\n      of Management and Budget and Office of Inspector General.\n\n\nRecommendation 3. OIG recommends that the Bureau of the Comptroller and Global Financial\nServices enhance existing policies and standard procedures to ensure that the improper payments\ninformation included in the Department of State Agency Financial Report is complete and\naccurate.\n\n\n\n\n                                              20\n\n                                      UNCLASSIFIED\n\x0c                                              UNCLASSIFIED\n\n\n\n                                                                                                    Appendix A\n\n                                       Scope and Methodology\n        The Improper Payments Elimination and Recovery Act of 20101 (IPERA), which\namended the Improper Payments Information Act of 20022 (IPIA), requires the Office of\nInspector General (OIG) to conduct an annual audit of the Department of State\xe2\x80\x99s (Department)\ncompliance with improper payments requirements. In accordance with the IPERA requirement,\nan external audit firm, Kearney & Company, P.C. (Kearney), acting on OIG\xe2\x80\x99s behalf, performed\nthis audit to determine whether the Department was in compliance with IPIA, as amended by\nIPERA.3\n\n       Kearney conducted this performance audit from December 2012 through February 2013\nin Washington, D.C., and at the Office of Global Financial Services in Charleston, South\nCarolina. Kearney planned and performed the audit in accordance with performance audit\nrequirements in the Government Accountability Office\xe2\x80\x99s Government Auditing Standards,\nDecember 2011 Revision. Those standards required that Kearney obtain sufficient, appropriate\nevidence to provide a reasonable basis for findings and conclusions. The sufficiency and\nappropriateness of evidence needed and tests of evidence related directly to the objective and\nscope of the audit.\n\n        Kearney focused the scope of the audit on the following areas: (1) evaluating whether\nthe Department conducted a program-specific risk assessment for all programs; (2) evaluating\nthe Department\xe2\x80\x99s performance in preventing, detecting, and recapturing improper payments; and\n(3) determining whether the Department reported the required improper payments information in\nits 2012 Agency Financial Report (AFR).\n\n        Kearney designed the audit to obtain insight into the Department\xe2\x80\x99s current processes,\nprocedures, and organizational structure with regard to compliance with IPIA requirements. To\nexpedite the audit process, Kearney leveraged the results of its FY 2012 financial statement audit\nand audit of the Department\xe2\x80\x99s FY 2011 compliance with IPIA to confirm its understanding of the\nnature and profile of Department operations, IPIA standards, regulatory requirements, and\nsupporting information systems and controls.\n\n        Kearney conducted process walkthroughs and interviews with Department officials to\nobtain a sufficient understanding of the steps taken by the Department to assess the risk of\nimproper payments; its process of identifying significant improper payments; the steps taken to\nprevent, reduce, and recapture improper payments; and the process of reporting improper\npayments. Consistent with the fieldwork standards for performance audits, Kearney established\nperformance criteria and identified sources of audit evidence to complete the testing phase.\n\n        The testing phase provided Kearney with evidence to determine the findings of the report\nissued for the performance audit. The criteria determined in the planning phase served as the\n\n1 Pub. L. No. 111-204 \xc2\xa73(b).\n\n2 Pub. L. No. 107-300.\n\n3 Unless otherwise indicated, the term \xe2\x80\x9cIPIA\xe2\x80\x9d means \xe2\x80\x9cIPIA, as amended by IPERA,\xe2\x80\x9d in this report.\n\n\n                                                       21\n\n                                              UNCLASSIFIED\n\x0c                                       UNCLASSIFIED\n\n\nbases for assessing the Department\xe2\x80\x99s compliance with IPIA requirements. The testing phase\nincluded procedures to assess the Department\xe2\x80\x99s IPIA reporting process, the recapture audit\nprocess, and the AFR disclosures.\n\n        During the reporting phase, Kearney formally communicated the conclusions reached and\nthe findings and recommendations.\n\nWork Related to Internal Controls\n\n        Kearney performed steps to assess the adequacy of internal controls related to the areas\naudited. Specifically, Kearney assessed the controls contained in the Department\xe2\x80\x99s policies and\nprocedures for making payments, performing risk assessments, reviewing payments, and\nreporting improper payments information. However, Kearney did not perform testing of these\ncontrols because it was beyond the scope of this audit.\n\nUse of Computer-Processed Data\n\n        Kearney obtained computer processed data (that is, spreadsheets) and reporting packages\nto aid in determining whether the Department had complied with IPIA. More specifically, these\ndata provided evidence that the Department had taken steps to comply with IPIA. Kearney did\nnot perform tests to validate the spreadsheet amounts because such testing was not necessary to\naccomplish audit objectives. However, Kearney assessed the data provided as reasonable based\non its understanding of the financial information gained during the audit of the Department\xe2\x80\x99s FY\n2012 financial statements.\n\n\n\n\n                                               22\n\n                                       UNCLASSIFIED\n\x0c                                        UNCLASSIFIED\n\n\n\n                                                                                                         Appendix B\n\n                                                                 UIlIIl:d Slill l:,> De parlment of Stat I.!\n                                                                 ( \'olllplrollL\'1\'\n                                                                 IWi\') f),\'(\'" h \'",UI,\'\n                                                                 (\'IIarh"\'OII _\\ ( !V.JO\'i\n\n                                                                 MAR 1 3 2013\nUNCI.ASSIFIEp\n\nj\\\'IEMORAN n Ut\\l\n\nTO:             OIG - llurry W.   G~isd\n\n\nFROM:           CGFS - J:Ulles L. Mi IiCIIf \\\n\nSUBJECT:        Droll Repon on Audit or Dcpartmenl or Slate FY 2012 Compliance Wilh the\n                Improper Payments R~quirelllcnts\n\nThank you ror the opponunity to comment on ti1c Office orlnspector Gencrnl\'s (OIG) Draft\nReport titll\'<l Audit or Departlllcni of Slatc FY 2012 Compliance with the Improper Pilyments\nRl:quirements.\n\nThis compliance audit is rclathcly new in only its second year of rcquircd reportin~ to OMR and\nCon~rcss ror FY 2012, Significant amendments hu ve been mude in the pust rew ycars regarding\nII\' IA, with the pllssage of IPERA (1mpropeT Payments Elimination and Reem\'ery Act) and mOSI\nrecently [PEKIA (hllpropl:r Payme nts Elimi nution and Recovery Improvement Act). The\nDepanmcnt has made signi ficant efforts to comply \\\\ ith all guidance in a manner that also\nleverages the good ste"ardship of gOVcnlmenl funds and ensures our initialives arc eOSI\xc2\xb7\neffective. We tal..e pride that our progr.tm is compliant with IPI A, but we recogui7.c that mott:\nimpro\\cments can be made and will continue doing so. As such. we concur with the OlG\n~ommendlltiolls. Thc Departmcnt takes 1i1c OIG rcrommcndations ,"cry seriously. as\ndemonstrated by the accomplishments nOled in the report. We will carcfully cYalulllc the ne\\\\\nrecommendations made and implementthcm to the e)(tent the), are nlx\'neficinl and cost\xc2\xb7dTccth\'e\nusc of government runds. Afier we havc fully cYlllual!..\'(\\ the recommendations. we will\nimplemcnt corrective actions as appropriutc. In pmticular. we will work closely with the OIG as\nwe refinc our definition ofprogrnms ilnd conduct full baseline risk nsscssmcnts in FY 2013.\n\n         As aekno\\\\ledged in the Draft Repon. the Dcpurtmcnt employs numerous preventative\nand identification methods to suppon II\'IA rcquiremcnts. We have dedieuted considerable\nresources to prc\\\'ent impropc.\'r pa),mcnts frolll oceunillg. and take pride in our truck record of\nsuccess baSl\'(\\ on the low volume ofuctual improper piI)\'lIlcnts identified and I\\."\'CO\\cred each\nyear, Prior I PIA regulato!) guiwUlee was geared toward high.risk programs and activities that\nwere decml\'<l susceptible to significant improper payments. Despite h:wing no programs or\nactivities susceptible to significant improper payments. ns previously defined. the Department\nuses risk assessment and rcrapturc initiatives to assist in identirying improper payments and\nrelated payment issues. With the implementation orour Global Financial Management System\nin 2007. we rully integrated acquisitions into Ihe financia l system at the line level, signi ficantly\n\n\n                                            UNCLt\\SSIJILD\n\n\n\n\n                                                   23\n\n\n                                        UNCLASSIFIED\n\x0c                                        UNCLASSIFIED\n\n\n\n\n                                            iJNCLASS1FIEU\n                                                  \xc2\xb72\xc2\xb7\n\n\nenhanci ng the integrit y of our payments. In addition. we arc strengthening (l Ur payment internal\neonlrol!> through our efforts under UMlJ\'s 00 Not I\'ay initiati ve. For e.\'(ample. the Department\nhas alread y implemented procedures 10 compare OUT payments to Foreign Service annuila nts\nagain!>! the Social Security Admi ni stration\'s master death tHe.\n\nWe reeogniLe that th..: II\'ERA. [PER IA und related guidance has raisct..l thc har on transp(l rentl y\naccounting for nnd prcv{\'nting improper payments lor all Agcncio:-s. including the Department.\nWe an:: commilled to meeting thcse compl iance requ i remenl~ in a reasoned manner. Wo:- look\nforwllrd to working with bolh the OIG and the Independent Auditor on further enhancements to\nour existing programs in the coming ycar.\n\nIf you h~lVe any question~ concerning this status sUlIlmary. please conlaCI Carole Clay\n(l."UFSIDCFO/MC) uI202-663-(b)(2)(b)(6)\n\n\n\n\n                                                   24\n\n\n                                        UNCLASSIFIED\n\n\x0c       UNCLASSIFIED\n\n\n\n\n\n FRAUD, WASTE, ABUSE,\n\n OR MISMANAGEMENT\n\nOF FEDERAL PROGRAMS\n\n   HURTS EVERYONE.\n\n\n          CONTACT THE\n\n  OFFICE OF INSPECTOR GENERAL\n\n             HOTLINE\n\n       TO REPORT ILLEGAL\n\n    OR WASTEFUL ACTIVITIES:\n\n\n\n         202-647-3320\n\n         800-409-9926\n\n      oighotline@state.gov\n\n          oig.state.gov\n\n\n   Office of Inspector General\n\n    U.S. Department of State\n\n         P.O. Box 9778\n\n     Arlington, VA 22219\n\n\n\n\n\n       UNCLASSIFIED\n\n\x0c'